Current Awareness: Net Neutrality—Tweeting Corporate Information—SEC Cybersecurity Enforcement

AMENDMENTS TO NEWLY PASSED CALIFORNIA CONSUMER PRIVACY ACT SIGNED INTO LAW

By: Lexis Practice Advisor Attorney Team

GOVERNOR EDMUND G. BROWN SIGNED A BILL AMENDING the California Consumer Privacy Act (CCPA) just weeks after its hasty enactment in June (SB 1121) and days before the state legislature ended its 2018 session.

Governor Brown signed the original bill on June 28, a week after its introduction and just hours after its unanimous approval by the State Assembly and Senate. The wide-ranging law gives consumers greater control over how businesses can use their personal information. Under the new law, consumers will have the right to request that businesses disclose how their personal information is used and to ask that personal information be deleted under some circumstances.

The law was fast-tracked by the legislature in return for a pledge by consumer advocates to abandon their campaign to place an initiative bearing the same name on the November 2018 ballot.

At the time of the bill’s signing, legislators conceded that amendments would be necessary to address concerns raised by consumer advocacy and business groups. California Attorney General Xavier Becerra weighed in as well citing “several unworkable obligations and serious operational challenges” imposed on his office by the statute. Becerra said that “failure to address these identified flaws will undermine California’s authority to launch and sustain vigorous oversight and effective enforcement of the CCPA’s critical privacy protections.”

Among the most notable amendments included in the so-called “cleanup bill” are an extension of the deadline for the adoption of regulations by the attorney general from January 1, 2020 to July 1, 2020 and a provision barring the attorney general from enforcing the statute until the sooner of six months after the finalization of regulations or July 1, 2020. Hogan Lovells Partner Mark Brennan says the amendments do not go far enough. “it’s like a fresh coat of paint in the basement of a crumbling house. There are so many important issues to address, and the recent amendments overlook the vast majority of them. It’s time to work on the foundation.”

The amendments also remove the requirement that a citizen notify the attorney general within 30 days of filing a private cause of action under the statute. However, consumers are still required to notify businesses 30 days before filing a complaint.

In other changes:

• The list of exempted information is expanded to include protected health information collected by entities subject to the Health Information Portability and Accessibility Act (104 P.L. 191) and/or the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56).
• Data collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (45 C.F.R. 46) is exempted from the statute.
• Information “collected, processed, sold, or disclosed” pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C.S. § 2721), the Gramm-Leach-Bliley Act (106 P.L. 102), or the California Financial Information Privacy Act (Cal. Fin. Code § 4050) is exempted regardless of whether there is a conflict between those statutes and the CCPA.

Brennan says the following sections of the legislation need to be revised, “I hope the legislature squares away the employee and HR data issues, and quickly. A lot of companies could benefit from clear guidance on those points before we get too far along in the 2019 compliance preparation process.” In addition, he notes, “Another area ripe for revision is the anti-discrimination provision, which as currently drafted is too heavy-handed for competitive markets. Even monopoly-era ‛common carriers’ had more service offering and pricing flexibility than the CCPA would provide.”

Additional amendments are expected when the legislature reconvenes in early January.

This article was written by the Lexis Practice Advisor Attorney Team with analysis included by Mark W. Brennan, Hogan Lovells US LLP. A partner in Hogan Lovells’ Washington, D.C. office, Mark Brennan leads an integrated technology practice that spans privacy, communications, and consumer protection issues.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Privacy Policies > Articles

Challenges to California Net Neutrality Statute On Hold Pending D.C. Circuit Ruling

IN RETURN FOR A PROMISE BY THE STATE OF CALIFORNIA to delay enforcement of its new net neutrality statute, the U.S. Department of Justice and several telecommunications industry groups have agreed to put on hold their suits challenging the statute’s constitutionality until after resolution of a suit seeking review of new federal net neutrality rules issued by the Federal Communications Commission (FCC) earlier this year.

Under the California statute, SB 822, which was signed into law just before the end of the California legislature’s 2018 session in September, internet providers will not only be barred from blocking or slowing down websites and services, but will also be prohibited from charging new fees and engaging in zero rating, the practice of exempting favored sites and services from customer data caps. The new statute, the strictest state proposal to date, is a response to a January 2018 order issued by the Federal Communications Commission (FCC) repealing its own 2015 order and rules governing broadband providers.

The debate over net neutrality has been building for years, sparked by complaints that carriers like AT&T and others were blocking cell phone users from making Skype calls or throttling the speed of services like Hulu or Netflix in an effort to coerce customers into paying for their services instead. In response the FCC in 2015 issued Protecting and Promoting the Open Internet, 30 FCC Rcd 5601 (2015), classifying broadband internet access as a “telecommunications service” subject to common carrier requirements under the Federal Communications Act (FCA) (47 U.S.C.S. § 151). The FCC adopted rules prohibiting broadband providers from blocking, throttling down, or otherwise discriminating against lawful internet content. Those rules barely lasted two years. In December 2017, the FCC voted to repeal the net neutrality guarantees, a move FCC Chairman Ajit Pai hailed as a boon to consumers, saying it would spur innovation, competition, and investment from broadband providers.

In January 2018, the FCC issued Restoring Internet Freedom, 33 FCC Rcd 311 (2018), returning to the pre-2015 classification of broadband internet access as an “information service” exempt from regulation as a common carrier under the FCA and repealing the 2015 regulations.

That same month, 21 states and the District of Columbia filed a petition for review in the U.S. Court of Appeals for the District of Columbia Circuit (State of New York v. FCC, No. 18-1013, D.C. Cir.). “State Petitioners seek a determination by this Court that the Order is arbitrary, capricious, and an abuse of discretion within the meaning of the Administrative Procedure Act, 5 U.S.C. § 701 et seq; violates federal law, including, but not limited to, the Constitution, the Communications Act of 1934, as amended, and FCC regulations promulgated thereunder; conflicts with the notice-and-comment rulemaking requirements of 5 U.S.C. § 553; and is otherwise contrary to law.” A hearing on the petition is scheduled in the D.C. Circuit for February. “The FCC ruling has an explicit provision forbidding states from adopting their own net neutrality laws,” says University of California law professor Ash Bhagwat. “It’s not ambiguous. It’s not unclear. The fight is over whether the FCC has the power to do that.”

There is no easy reading of the tea leaves on which way that battle will go. Bhagwat says there is no federal law that clearly lays out when, where or even if federal agencies have the power to preempt state laws. To make matters worse, there is no clear precedent from previous court rulings, which he says are all “all over the place.”

Some opponents of the California law point to a 1978 law by Congress that deregulated the airline industry while also prohibiting states from enacting their own regulations. But supporters argue that those rules were enacted by Congress, not issued arbitrarily by a federal agency. “If Congress had specifically authorized the FCC to preempt state law, I’m pretty confident the FCC would win this case,” Bhagwat says. “But they didn’t do that, so now everything is in question.”

The governor’s signature on the California bill was hours old when the U.S. Department of Justice (DOJ) filed suit on Sept. 30, arguing that it is preempted by the 2018 order and seeking to enjoin its enforcement (U.S. v. State of California, No. 2:18-at-01539, E.D. Calif.). “The 2018 Order recognized that ‘regulation of broadband Internet access service should be governed principally by a uniform set of federal regulations, rather than by a patchwork that includes separate state and local requirements,’ and that such requirements ‘could impose far greater burdens’ than the FCC’s ‘calibrated federal regulatory regime,’ and threaten to ‘significantly disrupt the balance’ the agency struck,” the DOJ argued.

In a statement, then-U.S. Attorney General Jeff Sessions accused the state of overstepping its authority and vowed to fight “with vigor” to have the new law tossed aside. “Under the Constitution, states do not regulate interstate commerce—the federal government does,” he said. “We are confident that we will prevail in this case because the facts are on our side.”

On Oct. 3, four industry associations—American Cable Association, the Wireless Association, the Internet & Television Association, and US Telecom—filed their own suit, calling the law a “classic example of unconstitutional state regulation” and seeking declaratory and injunctive relief (American Cable Association v. Becerra, No. 2:18-at-01552, E.D. Calif.). The industry plaintiffs echoed the preemption and constitutionality arguments raised by the DOJ and contended that the California statute’s requirements “will result in financial losses and other injuries that members can never recoup from the State.” Further, the industry plaintiffs argued, the harm “will only multiply as other states enact net neutrality legislation, and different agencies and courts in different states interpret and enforce each state’s requirements differently.” In a statement, the group said the law “threatens to negatively affect services for millions of consumers and harm new investment and economic growth.” Consumer advocacy groups disagreed, arguing that allowing telecoms to suppress competitors would actually stifle competition and innovation by preventing smaller startups from gaining headway in the marketplace. Civil rights groups also complained, citing the power of the internet companies to limit free speech if they so desired.

Both suits are now suspended pending resolution of the action before the D.C. Circuit Court, including any related appeals. If the court rules against the FCC, most of California’s new law could become moot because the original net neutrality rules would again be in place. Those rules, however, did not include the ban on zero rating contained in California SB 822.

Meanwhile, California is not the only state to address the net neutrality issue through legislation. According to the National Conference of State Legislatures, 30 states have introduced more than 72 net neutrality measures so far this year. Measures containing varying degrees of net neutrality protection have been successfully enacted in Washington, Oregon, and Vermont. While a number of proposed bills have failed, legislation is still pending in Illinois, Massachusetts, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, South Carolina, and Wisconsin. The governors of Montana, Hawaii, New Jersey, New York, Rhode Island, and Vermont have issued executive orders imposing net neutrality requirements on companies doing business with their state governments.

In addition, in 13 states and the District of Columbia, legislators have introduced resolutions opposing the repeal of the net neutrality rules, urging Congress to pass legislation reinstating the 2015 rules, and expressing support for general net neutrality rules.

Finally, on Nov. 5, the U.S. Supreme Court denied a petition for review of a ruling by the Court of Appeals for the District of Columbia Circuit upholding the Obama-era net neutrality rules (U.S. Telecom Association v. FCC, No. 17-504). While the decision lacks practical implications since the rules are no longer in effect, net neutrality advocates hailed it as a victory for their cause.

See State Net updates for tracking the latest progress on Net Neutrality legislation across the United States. ¹

Adapted and updated by Lexis Practice Advisor from State Net Capital Journal article by Rich Ehisen. ²

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Industry Compliance > Articles

1. For State Net Updates on Net Neutrality: https://www.lexisnexis.com/communities/state-net/b/capitol-journal/archive/2018/10/12/states-seek-to-maintain-net-neutrality.aspx?utm_campaign=State+Net+Capitol+Journal+Newsletter&utm_medium=email&utm_source=newsletter&utm_term=State+Net&utm_content=Volume+XXVI+No.+31+-+October+15+2018. 2. Article courtesy of http://www.lexisnexis.com/statenet. Please direct inquiries to statenet@lexisnexis.com. Copyright © 2018 LexisNexis. State Net is a registered trademark and State Net Capitol Journal News & Views from the 50 States is a trademark of RELX Inc. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole in in part, without prior written consent of RELX Inc.

SEC's Action Against Elon Musk Highlights the Importance of Care in Tweeting Corporate Information

By: Joel L. Rubinstein, R. Cabell Morris, and James J. Junewicz

PUBLIC COMPANY EXECUTIVES HAVE INCREASINGLY turned to posting on Twitter and other social media outlets to connect with their companies’ customers and investors on a wide variety of topics. The informal nature of social media can result in these postings being treated with less seriousness than formal company news releases or filings with the Securities and Exchange Commission (SEC). The SEC’s recent actions against Elon Musk, the chairman and CEO of Tesla, Inc., and Tesla itself should be a wake-up call to public company executives and boards that regularly use social media. If there ever was any doubt, the SEC has made it clear that social media posting by company executives should be treated with the same seriousness as any other corporate disclosures and should be subject to the same disclosure policies and procedures as more formal forms of corporate communication.

On September 27, 2018, the SEC charged Elon Musk with violating federal anti-fraud rules for making a series of tweets on August 7, 2018, regarding taking Tesla private. ¹ The SEC alleged that the tweets were false and misleading and noted that from the time of Musk’s first tweet until the close of that day’s trading, Tesla’s stock price increased by more than 6% and closed up 10.98% from the previous day. The relief sought by the SEC included seeking to bar Musk from serving as an officer or director of a public company. Tesla’s stock price dropped 14% as a result of the SEC’s announcement of its lawsuit.

Two days later, on September 29, the SEC announced that it had also charged Tesla with violating an SEC rule that requires Tesla to maintain disclosure controls and procedures that meet specified standards and at the same time announced the settlement of both lawsuits. ²

The settlements require comprehensive governance reforms at Tesla and the payment of $20 million in fines by both Musk and Tesla. In particular, the governance reforms include (1) the replacement of Musk as chairman of the board of directors of Tesla, (2) the addition of two independent directors to the Tesla board, and (3) the creation of a new committee of independent directors along with additional controls and procedures to monitor Musk’s future communications. The SEC press release did not detail the precise nature of these additional controls and procedures.

The SEC’s complaint against Musk focused on his now famous tweet on August 7, 2018: “Am considering taking Tesla private at $420. Funding secured.” Over the next three hours he published a series of additional tweets, including that “Investor support is confirmed. Only reason why this is not certain is that it’s contingent on a shareholder vote.” The SEC alleged that these tweets were false and misleading and violated Rule 10b-5 under the Securities Exchange Act of 1934 because Musk had no basis for these assertions. For example, the SEC charged that “When he made these statements, Musk knew that he had never discussed a going-private transaction at $420 per share with any potential funding source.” ³ According to the complaint, Musk’s apparent primary basis for his tweets was a single 30-45 minute meeting on July 31 with a sovereign investment fund, which Tesla’s CFO joined midway through the meeting. According to the SEC, “[t]he July 31 meeting lacked discussion of even the most fundamental terms of a proposed going-private transaction.” ⁴ Finally, the SEC alleged that before broadcasting his tweets to his more than 22 million Twitter followers ⁵ on August 7, “Musk did not consult with Tesla’s Board of Directors, any other Tesla employees, or any outside advisers about these tweets before publishing them.” ⁶

Takeaways

1. In case there ever was any doubt, it should now be clear to public company directors and officers that imprudent tweets and other social media posting relating to material corporate information can be just as dangerous as an improper disclosure in SEC filings or formal corporate press releases. The SEC has long held that the anti-fraud provisions apply just as forcefully to tweets and social media postings as they do to conventional press releases and SEC filings. ⁷ All disclosures by company executives relating to material corporate actions or information, regardless of form or forum, should be the subject of rigorous due diligence and careful drafting because, as the SEC’s action makes clear, they are subject to the same liability rules. Well-advised public companies have “disclosure controls and procedures” designed to weed out improper disclosures in SEC reports and press releases. There is no reason not to subject CEO and other senior-management tweets, Facebook posts, and any other communications via other public media to the same disclosure controls and procedures when those communications are being used to communicate material corporate information. The SEC noted Tesla’s responsibility for Musk’s Twitter account by referring to a Form 8-K Tesla filed on November 5, 2013, stating that the company intended to use Musk’s Twitter account to disclose material information about the company and its products and services.

In its press release announcing the settlement, the SEC emphasized the importance of subjecting tweets and social media postings to adequate controls and procedures, especially when a company has told the investment community that it will use social media outlets to announce corporate information, stating that:

[D]espite notifying the market in 2013 that it intended to use Musk’s Twitter account as a means to announcing material information about Tesla and encouraging investors to review Musk’s tweets, Tesla had no disclosure controls or procedures in place to determine whether Musk’s tweets contained information required to be disclosed in Tesla’s SEC filings. Nor did it have sufficient processes in place to [determine] that Musk’s tweets were accurate or complete.

2. Following sound disclosure principles will also enable other members of the management team to intelligently field calls from the investment media about tweets from the CEO without making mistakes or appearing flat-footed. The SEC alleged that Tesla’s head of investor relations, in response to a call from a media representative, at first doubled down on Musk’s tweet by telling a research analyst: “. . . we can’t add anything else. I . . . wanted to stress that Elon’s first tweet, which mentioned ‘financing secured,’ is correct.” ⁸ Later, he backpedaled, saying “I actually don’t know [the nature of the financing commitment], but I would assume that given that we went full-on public with this, the offer is as firm as it gets.” ⁹

3. In a statement accompanying the SEC’s announcement of the settlement, the SEC’s chairman, Jay Clayton, emphasized that “when companies and corporate insiders make statements, they must act responsibly, including endeavoring to ensure the statements are not false or misleading and do not omit information a reasonable investor would consider important in making an investment decision.” The SEC’s action makes clear that it will not go easy on careless disclosures by corporate officers simply because the company’s shareholders may ultimately suffer. Indeed, although not mentioned by Clayton, this is a reason “key person” risk factors have been common for years in IPO prospectuses for companies led by high- profile CEOs, but too often dismissed as merely a backhanded compliment to the CEOs themselves. Yet, in a clear reference to the fact that the SEC’s settlements allowed Musk to continue as CEO, Clayton also noted that the SEC’s enforcement efforts can have the effect of harming ordinary investors as “the skills and support of certain individuals may be important to the future success of a company.” So while holding high-profile individuals like Musk personally responsible is an effective regulatory means of deterrence, Clayton supported the settlements as reflecting a balancing of “these multiple interests and considerations.”

4. Shareholders may now ask, “Where were the directors in all of this?” when assessing the fallout that has occurred and likely will continue. The SEC’s settlement of the Musk and Tesla cases confirms not only that companies must ensure that their disclosure policies and procedures adequately regulate social media postings, but also that independent directors have a special and heightened responsibility to manage and try to correct CEO behavior once CEOs exhibit a proclivity for off-the-cuff communications. In such a situation, independent directors should insist on the ability to hire their own counsel and make sure the counsel they select has no connection to the company or CEO. It may mean that directors need to have a frank conversation with the offending executive about the need to comply with the company’s disclosure policies and procedures, and the underlying securities laws and rules, which the executive may not find intuitive. Above all, the directors must have the fortitude to call the CEO on the carpet if there are violations and insist on conduct that observes the company’s disclosure policies and procedures and protects the best interests of shareholders.

Joel L. Rubinstein is chair of Winston & Strawn LLP’s Capital Markets Practice. Joel has broad experience in corporate and securities matters, representing clients in public offerings and private placements of securities, complex business transactions, including private and public company mergers and acquisitions, and in organizing and investing in private investment funds. He has particular experience in transactions involving special purpose acquisition companies. Cab Morris concentrates his practice at Winston & Strawn LLP in securities and mergers and acquisitions. Featured in the Best Lawyers in America for securities and capital markets for the last four years, Cab regularly represents underwriters in public securities offerings. Over the years, he has handled more than 20 initial public offerings for companies in various industries. He also advises on M&A transactions. James J. Junewicz is a partner in Winston & Strawn LLP’s Chicago and New York offices who focuses his practice on securities offerings, mergers and acquisitions, and corporate governance. Formerly Assistant General Counsel of the U.S. Securities and Exchange Commission, Jim represents companies and underwriters in debt and equity offerings, regularly handles major cross-border merger and acquisition transactions, and advises boards of directors on governance and takeover issues.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Capital Markets & Corporate Governance > Corporate Governance and Compliance Requirements for Public Companies > Compliance Controls > Articles

1. U.S. Securities and Exchange Commission v. Elon Musk, C. A. 1:18-cv-8865 (S.D.N.Y. Sept. 27, 2018) (Complaint). 2. SEC Press Release, Elon Musk Settles SEC Fraud Charges; Tesla Charged With and Resolves Securities Law Charge (Sept. 29, 2018). 3. Complaint at 3. 4. Complaint at 18-21. 5. Complaint at 68. 6. Complaint at 32. 7.See Commission Guidance on the Use of Company Websites, Release No. 34-58288, IC-28351; File No. S7-23-08; Fed. Sec. L. Rep. (CCH) (Aug. 1, 2008). 8. Complaint at 51. 9. Complaint at 52.